From: Tobias Brunner
Date: Fri, 26 Jul 2024 14:56:32 +0000 (+0200)
Subject: testing: Add ikev2/start-action-start scenario
X-Git-Tag: android-2.5.2~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56b6eeb385df87b39e48a5c07d2ff304811ff222;p=thirdparty%2Fstrongswan.git

testing: Add ikev2/start-action-start scenario

This tests the behavior for configs with start_action=start during reloads of the config (updates/removal).
---
diff --git a/testing/tests/ikev2/start-action-start/description.txt b/testing/tests/ikev2/start-action-start/description.txt
new file mode 100644
index 0000000000..a755f1ef92
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/description.txt
@@ -0,0 +1,3 @@
+This scenario tests start_action=start and its behavior when reloading the
+config. To distinguish the different CHILD_SAs, arbitrary TCP ports are used in
+the traffic selectors.
diff --git a/testing/tests/ikev2/start-action-start/evaltest.dat b/testing/tests/ikev2/start-action-start/evaltest.dat
new file mode 100644
index 0000000000..5eeac52c8a
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/evaltest.dat
@@ -0,0 +1,56 @@
+moon::cat /var/log/daemon.log::vici initiating 'one-start'::YES
+moon::cat /var/log/daemon.log::vici initiating 'two-start-.'::2
+moon::cat /var/log/daemon.log::vici initiating 'four-start-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'one-start-child'::YES
+moon::cat /var/log/daemon.log::vici initiating 'two-start-child-.'::2
+moon::cat /var/log/daemon.log::vici initiating 'four-start-child-.'::4
+moon::mv /etc/swanctl/swanctl-update.conf /etc/swanctl/conf.d/
+moon::systemctl reload strongswan
+moon::sleep 3
+moon::cat /var/log/daemon.log::replaced vici connection: one-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'one-start'::YES
+moon::cat /var/log/daemon.log::replaced vici connection: two-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'two-start'::YES
+moon::cat /var/log/daemon.log::replaced vici connection: four-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'four-start'::YES
+moon::cat /var/log/daemon.log::updated vici connection: one-start-child::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'one-start-child'::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'one-start-child'::YES
+moon::cat /var/log/daemon.log::updated vici connection: two-start-child::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'two-start-child'::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'two-start-child-.'::2
+moon::cat /var/log/daemon.log::updated vici connection: four-start-child::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'four-start-child'::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'four-start-child-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'one-start'::2
+moon::cat /var/log/daemon.log::vici initiating 'two-start-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'four-start-.'::8
+moon::cat /var/log/daemon.log::vici initiating 'one-start-child'::2
+moon::cat /var/log/daemon.log::vici initiating 'two-start-child-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'four-start-child-.'::8
+moon::rm /etc/swanctl/conf.d/*
+moon::mv /etc/swanctl/swanctl-remove.conf /etc/swanctl/conf.d/
+moon::systemctl reload strongswan
+moon::sleep 3
+moon::cat /var/log/daemon.log::removed vici connection: one-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'one-start'::2
+moon::cat /var/log/daemon.log::removed vici connection: two-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'two-start'::2
+moon::cat /var/log/daemon.log::removed vici connection: four-start::YES
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'four-start'::2
+moon::cat /var/log/daemon.log::updated vici connection: one-start-child::2
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'one-start-child'::YES
+moon::cat /var/log/daemon.log::updated vici connection: two-start-child::2
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'two-start-child'::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'two-start-child-1' #..::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'two-start-child-2' #..::YES
+moon::cat /var/log/daemon.log::updated vici connection: four-start-child::2
+moon::cat /var/log/daemon.log::vici closing IKE_SA 'four-start-child'::NO
+moon::cat /var/log/daemon.log::vici closing CHILD_SA 'four-start-child-.'::8
+# only the last one here should change
+moon::cat /var/log/daemon.log::vici initiating 'one-start'::2
+moon::cat /var/log/daemon.log::vici initiating 'two-start-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'four-start-.'::8
+moon::cat /var/log/daemon.log::vici initiating 'one-start-child'::2
+moon::cat /var/log/daemon.log::vici initiating 'two-start-child-.'::4
+moon::cat /var/log/daemon.log::vici initiating 'four-start-child-.'::10
diff --git a/testing/tests/ikev2/start-action-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/start-action-start/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000000..b4864e158d
--- /dev/null
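Review bot: The two `vici closing CHILD_SA 'two-start-child-1' #..` / `'two-start-child-2' #..` checks after the removal reload appear to rely on the CHILD_SA unique ID having grown to two digits by then, so that the earlier close of child-1 during the update phase is not matched a second time; nothing in the file says so, and a reader will not see why these two lines deviate from the `'two-start-child-.'` pattern used everywhere else. A comment above them such as `# '#..' only matches the two-digit unique IDs assigned after the update reload, so the earlier close of child-1 is not counted` would make the intent explicit and flag the assumption if the ID format ever changes. The expected numbers are cumulative over both reloads (the log is never truncated), which `# only the last one here should change` hints at but does not state; `# counts are cumulative over both reloads; only the last one here should change` would be clearer. All checks also run after a fixed `moon::sleep 3`, so if a reload takes longer on a loaded host the counts will be read too early; that is consistent with the rest of the test suite but worth knowing when this scenario flakes.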
+++ b/testing/tests/ikev2/start-action-start/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/conf.d/swanctl-base.conf b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/conf.d/swanctl-base.conf
new file mode 100755
index 0000000000..6cac0d73a8
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/conf.d/swanctl-base.conf
@@ -0,0 +1,161 @@
+# basic settings for these test configs
+base-conn {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+}
+
+connections {
+
+ # when updating, we'll change ike/peer parameters for these
+
+ one-start : base-conn {
+ local {
+ id = moon-one
+ }
+ remote {
+ id = sun-one
+ }
+ children {
+ one-start {
+ local_ts = dynamic[tcp/1001]
+ remote_ts = dynamic[tcp/1001]
+ start_action = start
+ }
+ }
+ }
+
+ two-start : base-conn {
+ local {
+ id = moon-two
+ }
+ remote {
+ id = sun-two
+ }
+ children {
+ two-start-1 {
+ local_ts = dynamic[tcp/2001]
+ remote_ts = dynamic[tcp/2001]
+ start_action = start
+ }
+ two-start-2 {
+ local_ts = dynamic[tcp/2002]
+ remote_ts = dynamic[tcp/2002]
+ start_action = start
+ }
+ }
+ }
+
+ four-start : base-conn {
+ local {
+ id = moon-four
+ }
+ remote {
+ id = sun-four
+ }
+ children {
+ four-start-1 {
+ local_ts = dynamic[tcp/4001]
+ remote_ts = dynamic[tcp/4001]
+ start_action = start
+ }
+ four-start-2 {
+ local_ts = dynamic[tcp/4002]
+ remote_ts = dynamic[tcp/4002]
+ start_action = start
+ }
+ four-start-3 {
+ local_ts = dynamic[tcp/4003]
+ remote_ts = dynamic[tcp/4003]
+ start_action = start
+ }
+ four-start-4 {
+ local_ts = dynamic[tcp/4004]
+ remote_ts = dynamic[tcp/4004]
+ start_action = start
+ }
+ }
+ }
+
+ # when updating, we'll change only child parameters for these
+
+ one-start-child : base-conn {
+ local {
+ id = moon-one-child
+ }
+ remote {
+ id = sun-one-child
+ }
+ children {
+ one-start-child {
+ local_ts = dynamic[tcp/1101]
+ remote_ts = dynamic[tcp/1101]
+ start_action = start
+ }
+ }
+ }
+
+ two-start-child : base-conn {
+ local {
+ id = moon-two-child
+ }
+ remote {
+ id = sun-two-child
+ }
+ children {
+ two-start-child-1 {
+ local_ts = dynamic[tcp/2201]
+ remote_ts = dynamic[tcp/2201]
+ start_action = start
+ }
+ two-start-child-2 {
+ local_ts = dynamic[tcp/2202]
+ remote_ts = dynamic[tcp/2202]
+ start_action = start
+ }
+ }
+ }
+
+ four-start-child : base-conn {
+ local {
+ id = moon-four-child
+ }
+ remote {
+ id = sun-four-child
+ }
+ children {
+ four-start-child-1 {
+ local_ts = dynamic[tcp/4401]
+ remote_ts = dynamic[tcp/4401]
+ start_action = start
+ }
+ four-start-child-2 {
+ local_ts = dynamic[tcp/4402]
+ remote_ts = dynamic[tcp/4402]
+ start_action = start
+ }
+ four-start-child-3 {
+ local_ts = dynamic[tcp/4403]
+ remote_ts = dynamic[tcp/4403]
+ start_action = start
+ }
+ four-start-child-4 {
+ local_ts = dynamic[tcp/4404]
+ remote_ts = dynamic[tcp/4404]
+ start_action = start
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-remove.conf b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-remove.conf
new file mode 100755
index 0000000000..476b784bce
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-remove.conf
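Review bot: The file is added with `new file mode 100755` although it is a swanctl configuration file that is only read, never executed; the same applies to swanctl-remove.conf, swanctl-update.conf and both swanctl.conf files in this commit, while the two strongswan.conf files are added as 100644. Committing all of them as 100644 keeps the modes consistent and avoids an executable bit on files that carry the scenario's PSK. The header comment could also say how this file is used, since it is the only config that lives in conf.d/ and the evaltest removes it with `rm /etc/swanctl/conf.d/*` before the removal reload, e.g. `# basic settings for these test configs; all connections inherit base-conn, and evaltest replaces/removes this file from conf.d/ during the test`.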
@@ -0,0 +1,75 @@
+# basic settings for these test configs
+base-conn {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+}
+
+connections {
+
+ # the initial connections are removed completely
+
+ # here all child configs are removed
+ one-start-child : base-conn {
+ local {
+ id = moon-one-child
+ }
+ remote {
+ id = sun-one-child
+ }
+ }
+
+ # here only one is removed, the other remains unchanged
+ two-start-child : base-conn {
+ local {
+ id = moon-two-child
+ }
+ remote {
+ id = sun-two-child
+ }
+ children {
+ two-start-child-1 {
+ local_ts = dynamic[tcp/2201]
+ remote_ts = dynamic[tcp/2201]
+ rekey_time = 42m
+ start_action = start
+ }
+ }
+ }
+
+ # here two are removed, the others are updated
+ four-start-child : base-conn {
+ local {
+ id = moon-four-child
+ }
+ remote {
+ id = sun-four-child
+ }
+ children {
+ four-start-child-1 {
+ local_ts = dynamic[tcp/4401]
+ remote_ts = dynamic[tcp/4401]
+ rekey_time = 420m
+ start_action = start
+ }
+ four-start-child-2 {
+ local_ts = dynamic[tcp/4402]
+ remote_ts = dynamic[tcp/4402]
+ rekey_time = 420m
+ start_action = start
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-update.conf b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-update.conf
new file mode 100755
index 0000000000..fc2497f984
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl-update.conf
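Review bot: The comment `# here only one is removed, the other remains unchanged` holds only relative to the configuration active after the update reload (swanctl-base.conf merged with swanctl-update.conf, which set `rekey_time = 42m`); compared with swanctl-base.conf alone, `two-start-child-1` has gained `rekey_time = 42m`, which misleads anyone diffing the two files. Saying so explicitly, e.g. `# here only one is removed, the other remains unchanged (rekey_time = 42m is the value set by swanctl-update.conf)`, avoids that. The same applies to `# here two are removed, the others are updated`: the `420m` values are what turn those children into updates, so `(rekey_time changed from 42m to 420m)` would document the mechanism. It may also be worth a one-line note that `base-conn` is duplicated here because swanctl-base.conf has been deleted from conf.d/ by the time this file is loaded.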
@@ -0,0 +1,56 @@
+connections {
+
+ # update the rekey time for the IKE_SA for the first connections, so they
+ # get replaced completely
+
+ one-start {
+ rekey_time = 42m
+ }
+
+ two-start {
+ rekey_time = 42m
+ }
+
+ four-start {
+ rekey_time = 42m
+ }
+
+ # for these connections, the rekey time for the children is updated, so the
+ # IKE_SAs should remain
+
+ one-start-child {
+ children {
+ one-start-child {
+ rekey_time = 42m
+ }
+ }
+ }
+
+ two-start-child {
+ children {
+ two-start-child-1 {
+ rekey_time = 42m
+ }
+ two-start-child-2 {
+ rekey_time = 42m
+ }
+ }
+ }
+
+ four-start-child {
+ children {
+ four-start-child-1 {
+ rekey_time = 42m
+ }
+ four-start-child-2 {
+ rekey_time = 42m
+ }
+ four-start-child-3 {
+ rekey_time = 42m
+ }
+ four-start-child-4 {
+ rekey_time = 42m
+ }
+ }
+ }
+}
diff --git a/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..94b1a419cd
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,2 @@
+# include config files from conf.d/
+include conf.d/*.conf
diff --git a/testing/tests/ikev2/start-action-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/start-action-start/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000000..b21f14de58
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+
+ # disable DoS protection as the initator will create a lot of IKE_SAs in this scenario
+ dos_protection = no
+}
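Review bot: swanctl-update.conf has no header comment, yet unlike swanctl-base.conf and swanctl-remove.conf it is not a standalone configuration: it carries only `rekey_time` overrides and no `base-conn`, ids, traffic selectors or secrets, so it only makes sense merged with swanctl-base.conf after the evaltest moves it into conf.d/. A first line such as `# partial config: merged with swanctl-base.conf once evaltest moves it into conf.d/` would stop a reader from wondering where the rest of each connection comes from. The two existing comments explain the intended outcome well; adding "(see evaltest.dat)" to the one on the IKE_SAs would point to where that outcome is checked.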
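Review bot: The comment on the `dos_protection` line in hosts/sun/etc/strongswan.conf misspells initiator; it should read `# disable DoS protection as the initiator will create a lot of IKE_SAs in this scenario`. Since this is the only place in the commit that weakens a responder-side protection, the comment could also say why it is acceptable here, e.g. `# disable DoS protection as the initiator will create a lot of IKE_SAs in this scenario (test network only, moon is the sole peer)`, so nobody copies the line into a non-test config without the context.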
diff --git a/testing/tests/ikev2/start-action-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/start-action-start/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..6550cce0fd
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,143 @@
+# basic settings for these test configs
+base-conn {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+}
+
+connections {
+
+ one-start : base-conn {
+ local {
+ id = sun-one
+ }
+ remote {
+ id = moon-one
+ }
+ children {
+ one-start {
+ local_ts = dynamic[tcp/1001]
+ remote_ts = dynamic[tcp/1001]
+ }
+ }
+ }
+
+ two-start : base-conn {
+ local {
+ id = sun-two
+ }
+ remote {
+ id = moon-two
+ }
+ children {
+ two-start-1 {
+ local_ts = dynamic[tcp/2001]
+ remote_ts = dynamic[tcp/2001]
+ }
+ two-start-2 {
+ local_ts = dynamic[tcp/2002]
+ remote_ts = dynamic[tcp/2002]
+ }
+ }
+ }
+
+ four-start : base-conn {
+ local {
+ id = sun-four
+ }
+ remote {
+ id = moon-four
+ }
+ children {
+ four-start-1 {
+ local_ts = dynamic[tcp/4001]
+ remote_ts = dynamic[tcp/4001]
+ }
+ four-start-2 {
+ local_ts = dynamic[tcp/4002]
+ remote_ts = dynamic[tcp/4002]
+ }
+ four-start-3 {
+ local_ts = dynamic[tcp/4003]
+ remote_ts = dynamic[tcp/4003]
+ }
+ four-start-4 {
+ local_ts = dynamic[tcp/4004]
+ remote_ts = dynamic[tcp/4004]
+ }
+ }
+ }
+
+ one-start-child : base-conn {
+ local {
+ id = sun-one-child
+ }
+ remote {
+ id = moon-one-child
+ }
+ children {
+ one-start-child {
+ local_ts = dynamic[tcp/1101]
+ remote_ts = dynamic[tcp/1101]
+ }
+ }
+ }
+
+ two-start-child : base-conn {
+ local {
+ id = sun-two-child
+ }
+ remote {
+ id = moon-two-child
+ }
+ children {
+ two-start-child-1 {
+ local_ts = dynamic[tcp/2201]
+ remote_ts = dynamic[tcp/2201]
+ }
+ two-start-child-2 {
+ local_ts = dynamic[tcp/2202]
+ remote_ts = dynamic[tcp/2202]
+ }
+ }
+ }
+
+ four-start-child : base-conn {
+ local {
+ id = sun-four-child
+ }
+ remote {
+ id = moon-four-child
+ }
+ children {
+ four-start-child-1 {
+ local_ts = dynamic[tcp/4401]
+ remote_ts = dynamic[tcp/4401]
+ }
+ four-start-child-2 {
+ local_ts = dynamic[tcp/4402]
+ remote_ts = dynamic[tcp/4402]
+ }
+ four-start-child-3 {
+ local_ts = dynamic[tcp/4403]
+ remote_ts = dynamic[tcp/4403]
+ }
+ four-start-child-4 {
+ local_ts = dynamic[tcp/4404]
+ remote_ts = dynamic[tcp/4404]
+ }
+ }
+ }
+}
+
+secrets {
+ ike {
+ secret = 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+ }
+}
diff --git a/testing/tests/ikev2/start-action-start/posttest.dat b/testing/tests/ikev2/start-action-start/posttest.dat
new file mode 100644
index 0000000000..61ea51e535
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/posttest.dat
@@ -0,0 +1,5 @@
+sun::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm -rf /etc/swanctl/conf.d/
diff --git a/testing/tests/ikev2/start-action-start/pretest.dat b/testing/tests/ikev2/start-action-start/pretest.dat
new file mode 100644
index 0000000000..be5c90b080
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::systemctl start strongswan
+sun::expect-connection four-start-child
+moon::systemctl start strongswan
+moon::sleep 3
diff --git a/testing/tests/ikev2/start-action-start/test.conf b/testing/tests/ikev2/start-action-start/test.conf
new file mode 100644
index 0000000000..d3016a886c
--- /dev/null
+++ b/testing/tests/ikev2/start-action-start/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
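Review bot: The sun-side swanctl.conf defines every connection without `start_action`, which is the point of the responder role here, but nothing in the file says so and the header comment is the same `# basic settings for these test configs` as on moon. A line such as `# responder side: no start_action, moon initiates every CHILD_SA and triggers all reloads` would make the asymmetry with the moon configs explicit. The file is also added with `new file mode 100755`, which is raised on the swanctl-base.conf hunk for all swanctl config files in this commit.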